The EU GDPR will still matter after Brexit: that’s a good thing

The announcement this week from the UK Government that it will largely follow the EU General Data Protection Regulation (GDPR) when the UK leaves the EU has been widely anticipated – UK organisations that fail to protect against personal data breaches will face fines of up to £17 million or 4 per cent of global turnover. As one of the firms that participated in the planned reforms and that is already helping a number of organisations implement the GDPR, we believe such reforms are good for UK citizens and, if implemented in the right way by UK industry, good for the UK as a whole.

The announcement also sets out the proposed derogations from the GDPR which the UK wishes to implement into UK law, such as:

Reducing the age at which a child can consent to data processing from 16 to 13 years of age

Creating an exemption from an individual’s right to object to automated decision-making where suitable measures are in place to safeguard individuals’ rights

Extending the right to process personal data relating to criminal convictions and offences to enable organisations other than those vested with official authority to process it

Exempting processing for scientific or historical research, gathering statistics or performing archiving functions in the public interest where compliance would seriously impair their ability to carry out their work.

We agree that, with these proposed derogations, the new Data Protection Bill will provide the UK with one of the most robust, yet dynamic, sets of data laws in the world. It will cover both the private and public sectors, and will help safeguard essential services in areas like water, energy, transport and health. We also expect that it will require organisations to show they have a strategy to cover unanticipated events that pose a threat to data protection, such as power failures and environmental disasters.

In a global digital economy, users expect their personal information to be respected and managed securely by those they share it with. We are also seeing that organisations which embrace the GDPR are forming stronger, improved relationships with their employees, stakeholders and customers. Organisations that demonstrate they care about and respect personal data expect to gain a competitive advantage.

The new bill also recognises the changing nature of what constitutes personal data in the digital economy, including aspects such as IP addresses. Given that the latest legislation around the Investigatory Powers Act covers such definitions of personal identifiers, it makes sense for data protection legislation to be aligned.

Matt Hancock, the Minister of State for Digital, has stated that fines will be a last resort and will not apply to firms that have put safeguards in place and still suffer an attack. However, one of the key challenges we see in the implementation of the GDPR is assessing just what constitutes an adequate safeguard. For example, the existing GDPR legislation exposes a number of grey areas, such as how much encryption an organisation should use. Partly because of this, organisations have taken matters into their own hands – one firm recently went so far as to delete all of its customer data.

Rather than viewing the GDPR with frustration or even alarm, organisations need to think carefully about how they comply with it. A well thought out plan based on risk assessments will enable organisations to prioritise their response in a targeted way. This will save scarce time and resources and ensure the business can continue to operate – even thrive – despite the changes underway.